In June 2013 Yahoo decided to reset accounts that had been inactive for 12 months or more. The company further announced that it would release those account names to other users, which raised a number of privacy and security questions. IT experts voiced concern about the potential for identity theft, given that an old Yahoo account might still be linked to other online services; in such a case the new owner would only need to request a password reset on those services to gain access. Yahoo reassured users that it would handle the process correctly and not allow this to happen, and stated that less than 10 percent of the inactive Yahoo IDs were actually connected to Yahoo email accounts.
Facebook, however, wanted an additional measure of assurance. In collaboration with Yahoo, the company developed an SMTP extension called RRVS (Require Recipient Valid Since). The extension inserts a timestamp into the email message header indicating when Facebook last confirmed ownership of the Yahoo account. If ownership of the account has changed since that confirmation, Yahoo is in a position to stop the message, so that sensitive information is not delivered into the wrong hands.
Last Thursday Facebook announced that the RRVS Request for Comments draft had been approved and is now considered a Proposed Standard by the IETF. According to the draft, the intended use of these facilities is automatically generated messages that may contain sensitive information, although they may later be used in other applications as well.
Facebook's main concern is protecting accounts that are connected to a recycled Yahoo address, which could be taken over by whoever now holds that address. With the RRVS extension in use, senders can prevent messages from reaching anyone other than the intended recipient, namely the person who owned the mailbox at a given point in time.
According to the draft, the receiving system compares this timestamp with the point in time at which the address was assigned to its current user. If the assignment was made later than the moment indicated in the message, the current user of the address is most probably not the intended recipient. The system can then refuse delivery and even notify the original sender.
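As an added example (not Facebook's or Yahoo's code), here is the receiving-side check the draft describes, in Python. It assumes the header-field layout published in RFC 7293, `Require-Recipient-Valid-Since: <address>; <date-time>`, and a constructed table standing in for the provider's record of when each mailbox was assigned to its current owner.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

RRVS_FIELD = "Require-Recipient-Valid-Since"
# Constructed stand-in for the provider's record of when each mailbox was
# (re)assigned to its current owner; "recycled@" changed hands in Aug 2013.
MAILBOX_ASSIGNED_SINCE = {
    "alice@example.com": parsedate_to_datetime("Thu, 1 Mar 2012 00:00:00 +0000"),
    "recycled@example.com": parsedate_to_datetime("Thu, 15 Aug 2013 00:00:00 +0000"),
}

def parse_rrvs(value):
    """Split '<addr>; <date-time>' into (lower-cased address, aware datetime)."""
    addr, sep, date = value.partition(";")
    if not sep:
        raise ValueError("missing ';' separator")
    when = parsedate_to_datetime(date.strip())
    if when.tzinfo is None:  # treat a naive timestamp as UTC
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when

def rrvs_check(raw_message, recipient):
    """Receiver-side decision for one recipient: (deliver: bool, reason: str).
    Delivery is refused when the mailbox was assigned to its current owner
    after the sender's confirmation timestamp; no RRVS field means deliver."""
    recipient = recipient.lower()
    for value in message_from_string(raw_message).get_all(RRVS_FIELD, []):
        try:
            addr, confirmed_at = parse_rrvs(value)
        except (ValueError, TypeError) as exc:
            return False, f"malformed {RRVS_FIELD}: {exc}"
        if addr != recipient:
            continue  # this field constrains a different recipient
        assigned_at = MAILBOX_ASSIGNED_SINCE.get(recipient)
        if assigned_at is None:
            return False, "no such mailbox"
        if assigned_at > confirmed_at:
            return False, (f"mailbox reassigned {assigned_at:%Y-%m-%d}, after "
                           f"sender's confirmation {confirmed_at:%Y-%m-%d}")
        return True, "owner unchanged since sender's confirmation"
    return True, "no RRVS requirement for this recipient"

# Constructed sample: owner confirmed 1 Jun 2013, before the Aug 2013 recycling.
STALE_NOTICE = f"""From: notify@social.example
To: recycled@example.com
{RRVS_FIELD}: recycled@example.com; Sat, 1 Jun 2013 00:00:00 +0000

Click the link to reset your password.
"""
```

Running `rrvs_check(STALE_NOTICE, "recycled@example.com")` refuses delivery because the mailbox was reassigned after the sender's confirmation; the same notice addressed to `alice@example.com`, whose mailbox predates the confirmation, is delivered.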
This is not the first time Facebook has acted to protect its users. In May the company asked email providers to start using STARTTLS. Three months later, it confirmed that 95 % of its outbound notification emails were encrypted with Perfect Forward Secrecy and certificate validation on both the sender and the recipient side.
A week ago Facebook launched a tool that mines hacker forums and paste sites for stolen credentials that match those of Facebook accounts. The tool was created in response to data breaches in which credentials were stolen. Facebook confirmed that if a Facebook credential is found, it will notify the affected user.
Earlier this month it was announced that Facebook will double bounty payments for vulnerabilities in its advertising code through the end of the year.